FortiGate
Debbie_FTNT
Staff
Article Id 192577

Description
This article describes how to set up RADIUS authentication in addition to requiring client certificates for SSL VPN authentication.

Fortinet Documentation:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/490351/ssl-vpn-authentication

Scope
FortiGate 6.2.2 and higher.


Solution
Combining RADIUS or LDAP authentication with a requirement for specific client certificates for SSL VPN is possible, but not within a single user object: a 'user peer' entry (which is what specifies which certificates are accepted) cannot be combined with a 'user ldap' or 'user radius' server in a way that forces one login attempt to satisfy both.
Instead, the certificate check is enforced by the SSL VPN settings and authentication rule (via 'user-peer' and 'client-cert'), while the credential check is done through the user group that references the RADIUS/LDAP server.

To achieve this, follow the steps below:

1) User peer for certificate matching.

# config user peer
   edit "cert-user"
      set ca "CA_1"
      set subject "OU = your_org"
   next
end

2) RADIUS (or LDAP) server.

# config user radius
   edit "Radius"
      set server "10.0.0.1"
      set secret ENC XXXX
   next
end

# config user ldap
   edit "LDAP"
      set server "10.0.0.2"
      set dn "OU=your_org,DC=domain,DC=org"
      set type regular
      set user "CN=admin,OU=your_org,DC=domain,DC=org"
      set password ENC XXX
   next
end

3) User group.

# config user group
   edit "radius-group"
      set member "Radius"
      config match
         edit 1
            set server-name "Radius"
            set group-name "VPN-test"
         next
      end
   next
   edit "ldap-group"
      set member "LDAP"
   next
   [...]
end

4) VPN SSL settings.

# config vpn ssl setting
   set reqclientcert enable
   set user-peer "cert-user"
   set servercert "vpn-server-cert"
   set tunnel-ip-pools "tunnel-ip-pool"
   set port 443
   set source-interface "wan1"
   set source-address all
   set default-portal "tunnel-access"
   config authentication-rule
      edit 1
         set groups "radius-group"
         set client-cert enable
         set user-peer "cert-user"
      next
      edit 2
      [...]
   end
end

The authentication rule must reference one of the groups created in step 3 (here "radius-group"); the rule's 'client-cert enable' and 'user-peer' entries are what tie the certificate match to that group's password login.

 

Advanced Setup: Mixing authentication with and without certificate requirements

Allowing authentication both with and without user certificates in the same SSL VPN setup is more complicated, because of the order in which FortiGate checks client certificates and matches requests against realms.
This requires at least two SSL VPN realms and one DNS record per realm, all resolving to the SSL VPN interface IP.


- Two DNS records, cert.domain.org and nocert.domain.org, resolving to the FortiGate VPN interface IP (such as the wan1 IP)
- Two VPN realms matching the DNS records

# config vpn ssl web realm
   edit realm-1
      set virtual-host "cert.domain.org"
   next
   edit realm-2
      set virtual-host "nocert.domain.org"
   next
   [...]
end

- The FortiGate server certificate must either be a wildcard certificate (*.domain.org) or include both DNS names above as Subject Alternative Name entries; otherwise clients will get a certificate name mismatch for at least one realm.
- Each realm needs its own authentication rule; only the rule for the certificate realm carries the client certificate requirement:

# config vpn ssl setting
   config authentication-rule
      edit 1
         set realm realm-1
         set client-cert enable
         set user-peer "cert-user"
      next
      edit 2
         set realm realm-2
      next
      [...]
   end
end

- The Server Name Indication (SNI) extension in the TLS ClientHello tells the FortiGate which virtual host the client is asking for, so it can select the matching realm and authentication rule at the start of the handshake and request a client certificate only where that rule demands one.
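Two checks a practitioner will want after building the two-realm setup above: that the server certificate actually covers both virtual-host names (including correct single-label wildcard matching), and that the FortiGate only sends a TLS CertificateRequest when the client asks for the certificate realm by SNI. The script below is an added example and not part of the original article or FortiOS; the address, port and host names are placeholders. The SAN check parses the text printed by `openssl x509 -noout -ext subjectAltName`, and the handshake check looks for the "read server certificate request" state line that `openssl s_client -state` prints for TLS 1.2 and TLS 1.3. Only the live probe needs network access to the FortiGate.

```shell
#!/bin/sh
# Added example: sanity checks for a two-realm (cert / no-cert) SSL VPN setup.
# FGT_ADDR / FGT_PORT are assumed placeholders for the SSL VPN interface.
FGT_ADDR="${FGT_ADDR:-203.0.113.10}"
FGT_PORT="${FGT_PORT:-443}"

# san_covers "<SAN list>" <hostname>
# The SAN list is the text printed by `openssl x509 -noout -ext subjectAltName`,
# e.g. "DNS:*.domain.org, DNS:vpn.domain.org". Returns 0 if the hostname is
# covered. A wildcard replaces exactly one left-most label (RFC 6125 style), so
# *.domain.org covers cert.domain.org but not deep.cert.domain.org or domain.org.
san_covers() {
    host="$2"
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
    while IFS= read -r entry; do
        case "$entry" in
            DNS:*) name="${entry#DNS:}" ;;
            *)     continue ;;          # ignore IP:, email:, URI: entries
        esac
        if [ "$name" = "$host" ]; then
            echo match; break
        fi
        case "$name" in
            '*.'*)
                # host must have at least two labels; strip its first label and
                # compare the remainder against the wildcard's suffix
                if [ "${host#*.}" != "$host" ] && [ "*.${host#*.}" = "$name" ]; then
                    echo match; break
                fi ;;
        esac
    done | grep -q '^match$'
}

# server_requested_client_cert
# Reads `openssl s_client -state` output on stdin. Returns 0 if the server sent
# a CertificateRequest, which OpenSSL reports as
#   "SSL_connect:SSLv3/TLS read server certificate request"  (TLS 1.2)
#   "SSL_connect:TLSv1.3 read server certificate request"    (TLS 1.3)
server_requested_client_cert() {
    grep -q 'read server certificate request'
}

# probe_realm <sni-name>
# Live check against the FortiGate: connect with the given SNI name and report
# whether the selected authentication rule demanded a client certificate.
probe_realm() {
    sni="$1"
    if printf 'Q\n' | openssl s_client -connect "$FGT_ADDR:$FGT_PORT" \
            -servername "$sni" -state 2>&1 | server_requested_client_cert; then
        echo "$sni: client certificate REQUESTED"
    else
        echo "$sni: no client certificate requested"
    fi
}

# Usage: `sh check-realms.sh probe` runs the live probe for both realm names.
case "${1:-}" in
    probe)
        probe_realm cert.domain.org     # expected: REQUESTED
        probe_realm nocert.domain.org   # expected: not requested
        ;;
esac
```

For the SAN check, feed it the real certificate: `san_covers "$(openssl x509 -in vpn-server-cert.pem -noout -ext subjectAltName | tail -n +2)" cert.domain.org`. If the probe reports a certificate request for nocert.domain.org, the SNI is not being matched to realm-2 and the fall-through described in the notes below is in play.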

 

Careful:

- In 6.2, if the realms are not split by virtual host as above, FortiGate may fall through to an authentication rule that does not require a client certificate, so the certificate requirement is not reliably enforced.

- In 6.4, if the above is configured, the certificate requirement may also be triggered for any realm accessed via the default URL https://<FortiGate>/<realm>, including realms that are not meant to require one.

 

A configuration option introduced in 6.4 addresses these unintended certificate requirements for realms accessed via https://<FortiGate>/<realm>:

# config vpn ssl web realm
   edit <realm>
      set virtual-host-only enable
   next
   [...]
end

This setting enforces access to the specified realms via the virtual host only (https://<realm>.<FortiGate>), and ensures the realm in question cannot be visited via the default URL (https://<FortiGate>/<realm>).

This needs to be set for every realm that has a certificate requirement, so that certificate checks are only performed for the specified virtual-host realms, and other virtual-host realms (and non-virtual-host realms) do not trigger a certificate request.
